Implicit SSL
My provider has recently upped security settings to FTP files and I cannot get Dreamweaver CS4 to communicate with it.
According to the posting:
"You have to use Port 990 and Implicit SSL option (All client FTP software have this option) on client FTP software to do FTP on our server."
I can see how to set it to Port 990 (Manage Sites/Remote Info/Advanced/Firewall Settings and select "Use Firewall"), but I do not see a selection for Implicit SSL and I cannot connect to the server.
To make certain it is not any other firewall settings, when testing, I turn off my computer firewall (Mac) and the modem (DSL) firewall.
I have tried using Passive FTP, IPv6, Secure FTP (which grays out the Use Firewall option), used the different Server Compatibility options, all without any luck.
Any suggestions?
If Secure FTP is the same as Implicit SSL, then it does not work with this server. To make things even more interesting, when I select Secure FTP in Dreamweaver the program grays out the "Use Firewall" selection. Since I cannot connect to the server, I can only conclude that I cannot use the Firewall and select the port to use, and use Implicit SSL at the same time.
Since more and more servers are using non-traditional ports for FTP, this is a major shortcoming of Dreamweaver's ability to keep track of files on the server and I may have to resort to another FTP program instead.
Similar Messages
-
Help required in connecting to Implicit SSL FTP server
Hi,
I am working on a scenario of File to Idoc.
Here the File server (FTP server) is using the Implicit SSL protocol which is not supported by PI.
Hence, we thought of using the scripts for this.
Using Script we will move the file from the FTP server to the PI directory & then using NFS protocol in channel, PI will read the file.
Here my query is, is it possible to go for such a design in case of Implicit SSL?
If yes, please let me know how it can be achieved.
I am referring to the blog below on writing the scripts in case of the SSH protocol:
/people/daniel.graversen/blog/2008/12/11/sftp-with-pi-the-openssh-way
Please let me know if any such blog/material is available for Implicit SSL protocol as well.
Your help is highly appreciated.
-Supriya.
Have you tried calling from ABAP?
Connect FTP Server through R/3
There is something called the SAP cryptographic kit which you need to install, please check this link, I am not sure
File has to pass through FTPS connection.. Connection parameters?
Port for Implicit SSL is 990
regards
Ninad -
FTPS/Implicit SSL connections filter
BorderManager 3.8 on NetWare 5.1 - I have plenty of successful
ftp-port-pasv-st exceptions that I use, but now I need one for an
FTPS/Implicit SSL connection, which *should* use port 990. But when I
define an exception (creating a new packet type, TCP, All source ports to
990, stateful) I'm able to connect, but I cannot browse folders or transfer
files. For grins I even tried making an exception for ALL TCP ports from my
FTP PC to their server - oddly, that wouldn't allow me to connect at ALL.
Drop filters, and I can get it to work just fine. I would do a TCPIP DEBUG =
0, but when I do that, BorderManager usually crashes now, and last time it
crashed, it would immediately abend on reboot, and it took me 4 hours to
crawl out of this hole.
I just recently got brave enough to make new filters again (it was making
them all disappear every time I made a change for the longest time).
Anyone have any experience with this form of FTP? I've done FTP of course,
SFTP, and other secure FTP transfers, but this is the first vendor who want
FTPS/Implicit SSL, which I understand is not nearly as prevalent as Explicit
SSL.
Thanks,
Bruce
On Feb 26, 3:19 pm, "Bruce Lautenschlager" <[email protected]>
wrote:
> Reference the crashes - NDS came up clean after a few passes - and I still
> had the issues.
>
> I ended up running TCPVIEW on the workstation running WS_FTP Pro, and could
> see that the little ******* was opening up various ports from 1700 up.
> Different with every file. That blows. SFTP works on the same ports every
> time - but apparently this wasn't. Whatever. Maybe someday we'll have a real secure standard. Right now I transfer about every way known to man,
> including PGP and VPN. (But WS_FTP can't script PGP, hence I do a lot of
> SFTP and now this FTPS).
>
> I ended up making two non stateful exceptions on all ports from my FTP PC to
> their FTP server. Not the best solution....but - here's why I just needed
> something to hold me over for a week or two -
>
> After many years of BorderManager (and NetWare servers in general), I'm
> finally getting to do what they hired me for some years back - migrating to
> complete AD environment, including dual ISA 2006 Enterprise servers to
> replace BorderManager. I already did the NWSAA to HIS conversions. ZFD is
> about to give way to Desktop Authority. By next year, only GroupWise will
> remain (and probably not on NetWare OS), and since I only provide the web
> portion of that, what happens to that is of little concern to me.
>
> I appreciate all the help you've doled out over the years - especially Craig
> (and the very helpful book I finally bought a couple of years ago). No
> Novell bashing here...just going in a different direction.
>
> Thanks for your help,
> Bruce
>
> "Craig Johnson" <[email protected]> wrote in message
>
> news:[email protected]...
>
> > In article <[email protected]>, Bruce
> > Lautenschlager wrote:
> >> I just recently got brave enough to make new filters again (it was making
> >> them all disappear every time I made a change for the longest time).
>
> > Sounds like you have some NDS issues there that should be looked at.
>
> >> Anyone have any experience with this form of FTP? I've done FTP of course,
> >> SFTP, and other secure FTP transfers, but this is the first vendor who want
> >> FTPS/Implicit SSL, which I understand is not nearly as prevalent as Explicit
> >> SSL.
>
> > It seems to me that there are two flavors of secure FTP. One uses SSH, and
> > just tunnels FTP through an SSH connection. This is easy since you only need
> > to allow port 22 through. The other seems to be like what you are seeing, and
> > is using different ports than standard FTP, but still working like FTP in terms
> > of using more than one port (for control versus data). This second type can be
> > very hard to work with since there is no stateful FTP exception to work with
> > it.
>
> > I would solve the TCP debug issue first, and just grab the filtered ports and
> > add exceptions accordingly. If your exception of all TCP to the target server
> > failed, it may be because you also need one for traffic FROM the target server.
> > (And your interface selections may have been done incorrectly in the exception
> > you tried).
>
> > Craig Johnson
> > Novell Support Connection SysOp
> > *** For a current patch list, tips, handy files and books on
> > BorderManager, go to http://www.craigjconsulting.com ***
The problem here is that each time you do a directory listing or try
to upload/download a file in FTP protocol you are using a passive
client connection. With each passive connection the server assigns a
port that the client should connect to for initiating the transfer.
Unless you specify a port range to use within the FTP server software,
this is generally a random open port on the server > 1024. Naturally,
this can make configuring your firewall a bit more difficult :( The
solution to this is to configure your server to use a fixed port range
for passive FTP connections e.g. 1200-1300. Then in your firewall you
can configure it to allow inbound connections on these ports. Most
servers support passive port range configuration. See your server
docs for details on how to do this. One such platform-independent
server that supports this is jscape secure ftp server ...
http://www.jscape.com/secureftpserver/
Hope this helps.
Rich -
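Rich's advice above (a fixed passive range such as 1200-1300, and a firewall opened for exactly that range) leaves a client-side check worth having: refuse a data connection whose PASV port lies outside the agreed range, and audit the control-channel log to confirm the server setting actually took effect. The following is an added illustration, not code from the thread; the 1200-1300 range is the thread's example and the log lines are constructed.

```python
"""Check that an FTP server's passive-mode data ports stay inside the fixed
range the firewall was opened for (1200-1300 in the thread's example)."""
from __future__ import annotations

import re
from typing import Iterable

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -- the RFC 959 reply to PASV.
PASV_RE = re.compile(
    r"\b227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

DEFAULT_PASV_RANGE = range(1200, 1301)  # inclusive 1200-1300, as in the thread


def parse_pasv(reply: str) -> tuple[str, int]:
    """Extract (host, port) from a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def data_endpoint(reply: str, control_host: str,
                  allowed: range = DEFAULT_PASV_RANGE) -> tuple[str, int]:
    """Decide where the client may open its data connection.

    The address in the reply is ignored in favour of the control connection's
    peer address: servers behind NAT often advertise a private address, and
    following an arbitrary advertised address would let the server steer the
    client's data connection somewhere else. The port must fall in the range
    the firewall was opened for; otherwise the transfer is refused up front
    instead of hanging silently at the firewall.
    """
    _, port = parse_pasv(reply)
    if port not in allowed:
        raise PermissionError(
            f"server offered passive port {port}, outside allowed "
            f"{allowed.start}-{allowed.stop - 1}")
    return control_host, port


def audit_pasv_log(lines: Iterable[str],
                   allowed: range = DEFAULT_PASV_RANGE) -> list[int]:
    """Return the passive ports in a control-channel log that fall outside the
    allowed range. Handy for confirming the server-side range setting took
    effect before the firewall rules are touched."""
    bad = []
    for line in lines:
        if "227" not in line:
            continue
        try:
            _, port = parse_pasv(line)
        except ValueError:
            continue
        if port not in allowed:
            bad.append(port)
    return bad


# Constructed sample control-channel log (not taken from the thread).
SAMPLE_LOG = [
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,4,176)",   # 4*256+176 = 1200
    "LIST",
    "150 Here comes the directory listing.",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,5,20)",    # 5*256+20 = 1300
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,6,164)",   # 6*256+164 = 1700, outside the range
]

if __name__ == "__main__":
    print(audit_pasv_log(SAMPLE_LOG))
```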
Implicit SSL + FTP client???
Hi!
I've been looking for an FTP client that supports the (not so common in the linux world) standard implicit SSL.
I've been trying IglooFTP, Kasablanca, lftp and kbear and so on..but none have worked...
does anyone have any ideas??
what I have found about implicit ssl is that it is kind of standard in the windows world (almost all ftp clients such as ws_ftp and cuteftp support it) but not in the rest of the world..
hi there!
found this http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
it is a list of which clients support the different ssl implementations -
SSL/TLS for FTP connections
I've built some kind of advanced ftp server, and I would now like to add SSL or TLS on the server.
Implementing implicit SSL is easy. I used some SSL sockets, and everything was working fine.
But if I want to use TLS or explicit SSL, I have a problem.
With an SSL socket, any attempts to read/write with the streams initiate a handshake.
But an explicit SSL connection is done this way:
-> Connecting to myftpserver.com port 21
-> Connected to myftpserver.com
Server: Welcome to this nice ftp
Server: Enjoy this nice server
-> AUTH SSL
Server: 234 AUTH SSL successful
-> Now negociating SSL session...
So, as you can see, some data (welcome msg, AUTH SSL command, etc) are exchanged BEFORE the SSL negotiation.
I don't know how to do that since "any attempts to read/write with the streams initiate a handshake".
I hope someone will be able to help me :)
Dundee
What's wrong with my code then?
You must make sure, before trying to send the first encrypted text, that both sides are ready to negotiate SSL.
I'm pretty sure your problem is about that.
Did you write both sides (client and server) or only the client side?
Because if you are the author of the server side, you must also make sure the server will act as the server during the SSL negotiation ( ((SSLSocket)s).setUseClientMode(false)).
So far, my understanding - based on my experimentation:
The client must ask the server to start SSL communication, but MUST wait for the server to say it is ready before creating the SSL layer. This means the client sends - over the unencrypted communication - a command saying to the server: "I want to start to talk to you over SSL". Then the server answers "OK, I'm ready". Then, and only then, the client creates the SSL socket (over the already connected socket - as you seem to have done) and starts the SSL negotiation. By the way, it is not necessary to call SSLSocket.startNegotiate() explicitly, it will be called when sending the first block of data for the new SSL session.
I'm not sure if I made it clear. But I think the problem - the reason why you get the HandshakeException - is because the client tries to negotiate SSL before the server is ready to accept SSL negotiation - maybe this should have been the only sentence of my answer ;-).
About the use of SSLContext: I feel that it only has value if you want to use your own customized X509TrustManager or X509KeyManager. For me, I found it very useful because my server certificate may not be valid as per the default validation algorithm. But basically we can use the SSLContext the following way:
import javax.net.ssl.*;
/* The creation of a KeyManager is a story in itself.
 * The way I used it is to specify in my program the KeyStore to be used.
 * I think it can be specified in other ways (-D java argument, for example).
 * For now I am not sure how useful it can be for the client side. (sorry) */
KeyManager[] myKeyManagers = ....; // construction elided in the original post
/* The TrustManager gives you the opportunity to do your own validation
 * of the server / client - depending on the situation - certificate.
 * For now, I don't know how to use TrustManager and KeyManager
 * together. */
TrustManager[] myTrustManager = new TrustManager[] {new MyX509TrustManager()};
/* The Key and Trust managers created above can be used to initialize
 * the SSL context below. */
SSLContext context = SSLContext.getInstance("SSL");
/* Initialize the context with your customized managers.
 * Note that all parameters are optional - they can be "null".
 * You only specify those you have customized. */
context.init(myKeyManagers, myTrustManager, null);
/* Then later I can get my SSL socket factory, which will use my
 * own customized key and trust manager and secure random. */
SSLServerSocketFactory sslSSF = context.getServerSocketFactory();
SSLSocketFactory sslSF = context.getSocketFactory();
I found an article in this forum about TrustManager.... seems very promising.
Hope this will help.
Hugues -
Need a good FTP/SSL client
Hi,
Can anyone suggest a good FTP client with SSL capabilities. I was looking at Jakarta's FTP Client but I don't think it works on SSL. Has anyone used edtFTPj/SSL? Are there any other such FTP clients?
Thanks.
hi!
are you searching for a client, a client library or what exactly?
if you are searching for a free client library supporting implicit ssl, ssl, tls and many more features (soon it will support proxies) then you should have a look at:
http://sourceforge.net/projects/ftp4che/
greets -
When an ftp client uses implicit SSL to connect to an ftp server, is the data connection encrypted?
Can I use an unencrypted data connection to download and an encrypted connection for commands?
I wrote a program and the client uses ssl to connect to the server, I got a SSLException.
Remote host closed connection during handshake.
Why?
Hi,
If you get "Remote host closed connection during
handshake" you certificates are probably wrong or
missing.
/Kaj
certificate, the server side program doesn't have this.
The server side program only has a key from keytool.
How to get a certificate, or use some certificate to simulate a real certificate?
How to simulate a certificate? -
904AS - infrastructure install
Hi,
During install I got OID,OHS and SSO configured and running. I didn't check always use SSL for OID connections.
After reboot OC4J_SECURITY is down OHS&OID are alive
I've noticed that http port (mine is 3060) is responding whereas ssl port (3130) is not.
Metadata repository access assumes an implicit ssl connection
Am I missing some post-install configuration of OID to get SSL working? If so please point me to the relevant sections in the documentation
TIA
Pete
I've investigated things a little further
I can connect via ssl/non ssl using both oidadmin/ldapbind so OID accepts both (using orcladmin user)
Can't figure out why application server console fails (ldap error 49) to connect to metadata repository using the same ssl port number.
(logged on as ias_admin user) - so maybe password is skewed
ias_admin/orcladmin concept seem confusing -
I found some code using Google to send a mail
import java.io.*;
import javax.mail.*;
import javax.mail.internet.*;
import javax.activation.*;
public class SmtpGmail {
public static void main(String[] args) {
SmtpSsl smtp = null;
// gmail username - CHANGE THIS
String username = "[email protected]";
// gmail password - CHANGE THIS
String password = "password";
// address to send mail to - CHANGE THIS
String to = "[email protected]";
try {
// create a new SmtpSsl instance connecting securely via port 465 using implicit SSL
smtp = new SmtpSsl("smtp.gmail.com",465);
// establish secure connection
smtp.connect();
// login using gmail account details
smtp.login(username,password);
// create new email message
EmailMessage message = new EmailMessage();
message.setTo(to);
message.setFrom(username);
message.setSubject("Sending email via Gmail SMTP");
message.setBody("This is the body of the message");
// send message
smtp.send(message);
// disconnect
smtp.disconnect();
} catch(Exception e) {
// capture any exception and print to console
e.printStackTrace();
}
}
}
SmtpGmail.java:9: cannot find symbol
symbol : class SmtpSsl
location: class SmtpGmail
SmtpSsl smtp = null;
^
SmtpGmail.java:21: cannot find symbol
symbol : class SmtpSsl
location: class SmtpGmail
smtp = new SmtpSsl("smtp.gmail.com",465);
^
SmtpGmail.java:30: cannot find symbol
symbol : class EmailMessage
location: class SmtpGmail
EmailMessage message = new EmailMessage();
^
SmtpGmail.java:30: cannot find symbol
symbol : class EmailMessage
location: class SmtpGmail
EmailMessage message = new EmailMessage();
^
4 errors
this error is shown.... is it because I couldn't add it properly in the environment variable??
my classpath of user variable looks like this
.;C:\javamail\javamail\mail.jar;C:\javamail\jaf\activation.jar;C:\javamail\javamail\lib\dsn.jar;C:\javamail\javamail\lib\imap.jar;C:\javamail\javamail\lib\mailapi.jar;
C:\javamail\javamail\lib\pop3.jar;C:\javamail\javamail\lib\smtp.jar
I don't know what API you're using but it's not JavaMail.
The JavaMail FAQ will show you how to connect to Gmail, and will point you
to the source code of example programs you can use. -
Anybody interested in playing with my tool implementation of a ftp client
in forte feel free to email me, and I will send you it. I had tried to
post it to the user group, but it exceeded the size limitations (40000).
Could those of you who emailed me already please do so again. I deleted
your emails in anticipation of being able to post it to the user group.
Thank you,
Chris Henson
ATG Solutions Inc.
[email protected]
[email protected] (mail me here)
Hi,
Well, it appears that the 40 bit trial version of the
FTP server software was part of the problem. After I
found a trial FTP server version that had 128 bit
encryption, it no longer hung. However, I still get
an "Unknown SSL message, plaintext connection?" error
after I call startHandshake() after the "AUTH TLS-P"
or "AUTH SSL" command. However, setting the server
for implicit ssl and creating the ssl socket from the
beginning works just fine. Do secure sockets not work
with explicit SSL? Anyone have any ideas?
Thanks!
Anna
I get exactly the same problem. In implicit SSL mode, everything works just fine. But when I configure the server in explicit SSL mode, and my client is developed to create such connections, it doesn't work and I get the same error message: "Unknown SSL message, plaintext connection?". Have you worked out this problem???
I'm waiting for your answer -
Problem establishing SSL VPN from only 1 IP address
Hi,
I'm experiencing strange problem.
I can't establish SSL VPN connection from 1 IP address, but I don't have problem establishing SSL VPN from any other IP address.
Remote IP address: 10.0.0.1
ASA's public IP address: 192.168.1.1
Output of packet-tracer:
1. with problematic source IP address:
packet-tracer input wan tcp 10.0.0.1 50601 192.168.1.1 443 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.1 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff37573f00, priority=119, domain=permit, deny=false
hits=861, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
input_ifc=wan, output_ifc=identity
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
hits=4069, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=wan, output_ifc=identity
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
hits=4044934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=wan, output_ifc=any
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=2268518, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=wan, output_ifc=any
Phase: 6
Type: TCP-MODULE
Subtype: webvpn
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
hits=4627, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=wan, output_ifc=identity
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff375504a0, priority=69, domain=encrypt, deny=false
hits=40747, user_data=0x0, cs_id=0x7fff3754fa40, reverse, flags=0x0, protocol=0
src ip/id=192.168.1.1, mask=255.255.255.255, port=0
dst ip/id=10.0.0.1, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=any, output_ifc=wan
Result:
input-interface: wan
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
If I run packet-tracer with any other source IP address, let's say 10.0.0.2, everything is OK:
packet-tracer input wan tcp 10.0.0.2 50601 192.168.1.1 443 de
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.1 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff37573f00, priority=119, domain=permit, deny=false
hits=862, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
input_ifc=wan, output_ifc=identity
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
hits=4090, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=wan, output_ifc=identity
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
hits=4047886, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=wan, output_ifc=any
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=2270040, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=wan, output_ifc=any
Phase: 6
Type: TCP-MODULE
Subtype: webvpn
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
hits=4648, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=wan, output_ifc=identity
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff3a1cc320, priority=0, domain=user-statistics, deny=false
hits=4902651, user_data=0x7fff3a0043c0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=wan
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4384689, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_mod
snp_fp_adjacency
snp_fp_fragment
snp_fp_drop
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: wan
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
I run packet capture on WAN interface - and I can only see incoming packets (SYN) with destination to tcp/443 but there isn't any outgoing packet (SYN/ACK).
I even can't open web page from internet browser (url https://192.168.1.1) when source IP is 10.0.0.1, but I can open "SSL VPN Service" web page from any other source IP address.
The only thing different with this IP address is that there's configured site-to-site (IPsec) vpn tunnel from same source to same destination IP address.
Here is the configuration of the tunnel:
group-policy GroupPolicy_10.0.0.1 internal
group-policy GroupPolicy_10.0.0.1 attributes
vpn-filter value VPN-ACL
vpn-tunnel-protocol ikev1 ssl-client
access-list VPN-ACL:
access-list VPN-ACL extended permit ip object-group DM_INLINE_NETWORK_83 object-group DM_INLINE_NETWORK_84
object-group network DM_INLINE_NETWORK_83
network-object 10.11.217.0 255.255.255.0
network-object 192.168.201.0 255.255.255.0
object-group network DM_INLINE_NETWORK_84
network-object 10.11.217.0 255.255.255.0
network-object 192.168.201.0 255.255.255.0
tunnel local & remote networks:
access-list wan_cryptomap_5 extended permit ip 10.11.217.0 255.255.255.0 192.168.201.0 255.255.255.0
crypto map wan_map 5 match address wan_cryptomap_5
crypto map wan_map 5 set connection-type answer-only
crypto map wan_map 5 set peer 10.0.0.1
crypto map wan_map 5 set ikev1 transform-set ESP-3DES-SHA
I've configured the same setup in my lab and I can't reproduce the error.
The SW version running on ASA is asa861-12.
I'm out of ideas.
Just collected some other information:
1. traceroute shows that traffic is not leaving ASA at all
1 * * *
2 * * *
3 * * *
I double checked that there is no "strange" entry for remote public IP in routing. Traffic with destination to remote IP should be sent via default gateway like all other traffic.
2. debug crypto ipsec shows this information when I ping public IP address of the remote host (with VPN
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.1, sport=30647, daddr=10.0.0.1, dport=30647
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 1: skipping because 5-tuple does not match ACL wan_cryptomap_1.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 2: skipping because 5-tuple does not match ACL wan_cryptomap_2.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 3: skipping because 5-tuple does not match ACL wan_cryptomap_3.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 4: skipping because 5-tuple does not match ACL wan_cryptomap_4.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 6: skipping because 5-tuple does not match ACL wan_cryptomap_6.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 7: skipping because 5-tuple does not match ACL wan_cryptomap_7.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 8: skipping because 5-tuple does not match ACL wan_cryptomap_8.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 9: skipping because 5-tuple does not match ACL wan_cryptomap_9.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 10: skipping because 5-tuple does not match ACL wan_cryptomap_10.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 11: skipping because 5-tuple does not match ACL wan_cryptomap_11.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 13: skipping because 5-tuple does not match ACL wan_cryptomap_13.
IPSEC(crypto_map_check)-5: Checking crypto map wan_map 65535: skipping dynamic_link.
IPSEC(crypto_map_check)-1: Error: No crypto map matched.
It really seems that the whole problem is that the ASA is trying to encrypt traffic sent from the public IP address of one VPN endpoint and targeted to the public IP address of another VPN endpoint, and send it to the remote VPN endpoint via the IPsec tunnel.
There is indeed a VPN tunnel established between both VPN endpoints, but there are just local and remote networks defined with private IP address space for this tunnel; the VPN endpoints' public IP addresses are not included in the definition of this IPsec VPN tunnel.
And there are at least two more IPsec VPN tunnels configured the same way and I can't reproduce this error on these two VPN tunnels.
Any idea? -
SSL VPN - Bypass DefaultWEBVPNGroup
Hi All,
I'm using the default tunnel-group and group-policy for my general user community. I want to apply a filter for that group, and have a special use case for another group that bypasses the filter. My goal: for people hitting the "RAS_Engineering" group policy, I want to bypass the filter applied to "DfltGrpPolicy"
Is there a way for me to configure the group-policy so that it doesn't pick up the default settings? Here's what I have (some output omitted to reduce lines):
# sh vpn-session detail svc filter name amy.eryilmaz
Session Type: SVC Detailed
Username : amy.eryilmaz Index : 13568
Assigned IP : my.vpn.assigned.ip Public IP : my.pub.lic.ip
Group Policy : RAS_Engineering Tunnel Group : DefaultWEBVPNGroup
Clientless Tunnels: 1
SSL-Tunnel Tunnels: 1
Clientless:
Tunnel ID : 13568.1
Public IP : my.pub.lic.ip
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client Type : Web Browser
Client Ver : AnyConnect Windows 2.5.3046
Bytes Tx : 11456 Bytes Rx : 3986
SSL-Tunnel:
Tunnel ID : 13568.2
Assigned IP : my.vpn.assigned.ip Public IP : my.pub.lic.ip
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 2.5.3046
Filter Name : default-vpn-filter
group-policy DfltGrpPolicy attributes
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx
dhcp-network-scope xx.xx.xx.xx
vpn-filter value default-vpn-filter
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value mydomain.com
webvpn
svc ask none default svc
group-policy RAS_Engineering internal
group-policy RAS_Engineering attributes
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx
dhcp-network-scope xx.xx.xx.xx
vpn-tunnel-protocol l2tp-ipsec svc
webvpn
svc ask none default svc
# sh run all tunnel-group DefaultWEBVPNGroup
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group my_radius
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
dhcp-server xx.xx.xx.xx
no strip-realm
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization myCustom
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
no pre-shared-key
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 300 retry 2
no radius-sdi-xauth
isakmp ikev1-user-authentication xauth
Hi,
By default you will inherit any implicit values from the default group policy.
To stop inheriting the "vpn-filter" please do:
group-policy RAS_Engineering attributes
vpn-filter none
The same applies for any other feature within the group-policy, make sure you explicitly define every parameter according to the specific requirements.
Thanks.
Portu.
Please rate any helpful posts.
PI 7.1 FTP(S) - adapter with implicit connection type?
Hi,
We have encountered some issues involving FTP connection with SSL/TLS because the standard FTP - adapter in SAP PI 7.1 doesn't support the connection type "implicit". Many of our customers use FTP servers with connection type implicit and are somewhat reluctant or unable to configure the server to accept explicit connection type.
Now, I wonder if there is any patch or update which makes the FTP adapter to communicate with connection type "implicit"?
Or if you have another workaround for us to utilize?
Please refer to this blog for the FTPS connection:
http://scn.sap.com/people/rajasekhar.reddy14/blog/2010/04/13/how-to-configure-ftps-in-file-adapter
Hello,
I am getting a strange error, and I don't know how to fix it!
I am trying to use the WebAssist behaviors to save the shopping cart details and summary to the database, then redirect to the SSL (using ASP and MS SQL). When I redirect to the SSL page, I want to pass the OrderID variable, which is a session ID. The page gives me this error:
Microsoft VBScript runtime error '800a000d'
Type mismatch: '[string: "https://haydensports"]'
/shop/checkout_store.asp, line 104
If I refresh the page, it redirects correctly. I have tried to jimmy it and just add an automatic refresh, but that doesn't always work. I have included the full code, but here is line 104:
WA_redirectURL = "https://haydensports.safesecureweb.com/SSL/shop_signin.asp?OrderID=" + Session("OrderID") + ""
I attached the code!
I would appreciate any help!!
julie
Every now and then, the automatic type conversion does things the wrong direction (from your perspective - there isn't really a "wrong" direction with implicit conversion). Just convert your types explicitly, or use the other concatenation operator, or both:
' & always concatenates as strings; + tries numeric addition when one operand is a number
WA_redirectURL = "https://haydensports.safesecureweb.com/SSL/shop_signin.asp?OrderID=" & CStr(Session("OrderID")) & ""
"tccdover" <[email protected]> wrote in message news:e6akqt$jp9$[email protected]..
> Hello,
> Microsoft VBScript runtime error '800a000d'
>
> Type mismatch: '[string: "https://haydensports"]'
>
> /shop/checkout_store.asp, line 104
>
> If I refresh the page, it redirects correctly. I have tried to jimmy it and just add an automatic refresh, but that doesn't always work. I have included the full code, but here is line 104:
> WA_redirectURL = "https://haydensports.safesecureweb.com/SSL/shop_signin.asp?OrderID=" + Session("OrderID") + ""
Dreamweaver CS 5.5 not working with Godaddy FTP with TLS/SSL
I've upgraded to CS 5.5 and tried to connect to a client's Godaddy account with FTP with TLS/SSL, but it fails. It works perfectly with my Mac app Transmit every time, as it always has. It doesn't work with implicit or explicit settings, with authentication set to none or otherwise.
Can someone please let me know if Dreamweaver will ever be compatible with FTP with TLS/SSL and Godaddy? Or is there some setting I can try that will make it work now somehow?
Been waiting years for this....
SnakEyez02 wrote:
First, that's a Godaddy problem if their security isn't up to par.
That may be the case that Godaddy is also at fault, but every other FTP app I use with Godaddy works fine. It's just Dreamweaver and has always been just Dreamweaver not working with a secure connection to Godaddy. Considering Godaddy is the largest webhost in the USA, you'd think Adobe would have fixed this years ago. I should also mention I'm not endorsing Godaddy and I understand there's plenty of people that don't like Godaddy for very good reasons.
Sent you PM with FTP account with Godaddy yesterday. Thank you for taking a look!
UPDATE: Whoops, I see you responded via private message already. I'll paste most of it here in hopes it helps others to understand the issue:
via SnakEyez02 PM:
Ok this took a lot of digging. I won't say it's not a DW issue 100% and I will report a bug for your problem, but DW is not the problem alone Godaddy needs to share the blame here for a bad certificate. Here is what is happening:
I'll start with DW:
- The settings that were in the post are correct: Port 21, FTP explicit, and the authentication should be set to None (encryption only). This is where the transmission is encrypted using SSL, but the certificate is shared and not specific to the domain owner. That is the difference between DW's "none" and "trusted". It's a poor choice of words, I'll give them that. However, Godaddy seems to want all connections to be trusted, thus the other error you get when you turn on the None option. Now, could DW do what Transmit does, warn you and write an unsigned certificate into the Keychain app? Probably. Is it best practice for security reasons to "Trust" an unsigned certificate? Probably not.
Now Transmit:
- As explained above Transmit opens up a prompt to override and create a fake-trusted signed certificate. Thus by forcing the OS to think a legitimate certificate is there it gets you through albeit through unconventional methods.
The problem:
- A good portion of this problem lies with Godaddy. Now I use a shared hosting account and set one up on an independent host for a friend of mine and both of them accept the shared certificates (SSL explicit). The difference is the hostname of the certificate. I ran a traceroute (from Network Utility in Utilities folder) on your website and came up with the following address: 173.201.23x.x.
The problem is that the certificate on your server is actually not for that server, which is the reason DW seems to have such an issue with it. The SSL certificate that Godaddy put on your shared server is for host 173.201.19x.5x. As you can see, it's a certificate for another server. Honestly, the fact that Panic's Transmit allows this override scares me a little bit, and the fact that Godaddy never noticed this issue either scares me too. So while DW could write in a bad certificate, I can see why this is happening.
I know there is not much solace in my answer because it still doesn't alleviate the problem that you have with DW connecting. Unfortunately I do not have a workaround despite my numerous attempts to try and gain access over a secure connection. One alternative you could ask Godaddy for in the meantime is an SSH connection, which would allow you to use SFTP instead of FTPS. But that's a short-term solution to a long-term problem.
If you think of anything else feel free to bounce any ideas off me I don't mind. Good luck in getting this solved and I will post a bug report to make Adobe aware of the issue.
Thank you for looking into this issue in depth like you have!
I think the issue might be that Godaddy is applying cost saving measures to keep their prices down in the way they implement their certificates (but it also wouldn't surprise me to know it's simply ineptitude on Godaddy's part either). I'm not sure I fault Panic with Transmit much at all because it clearly warns you about the certificate and it's your choice to continue. And, as it stands now, it's much safer to continue to connect that way with Transmit than to stop and connect with no encryption at all at a public hotspot.
As it stands now, you really shouldn't connect to Godaddy with Dreamweaver at a public hotspot unless you set up an SSH tunnel with your connection first. But enabling SSH is an added expense in many ways including paying for the service, using more computer resources for tunneling and time setting it up and implementation... all because Dreamweaver won't just allow developers the option like Transmit does.
Once again, thank you for looking at this and I hope someone at Adobe finally addresses this issue for the security of its customers who use Godaddy (which is often not their choice and was, instead, the choice of their clients to use Godaddy as a webhost).
Just a side note, I contacted Godaddy support about this several years ago and they were unresponsive and even hostile about it - So that's definitely another vote against Godaddy from me as well.
Message was edited by: greenbluewave
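The PM above comes down to one check: a verifying TLS client compares the name in the server certificate with the host it is connecting to, and a certificate issued for a different server fails that check no matter how good the encryption is. The following is an added example, not code from the thread or from Adobe, Panic or GoDaddy. It reproduces that name check in the form Python's ssl module exposes certificates (the dict returned by getpeercert()), shows what the thread's "none (encryption only)" and "trusted" modes translate to in an SSLContext, and goes slightly beyond the thread's IP-only case by also handling DNS names and single-label wildcards. Every host, IP address and certificate field is constructed (RFC 5737 documentation ranges), not the masked GoDaddy values; connect_explicit_ftps is a hypothetical helper name.

```python
# Added example (not from the thread, Adobe, Panic or GoDaddy): why a client
# that verifies the FTPS server certificate refuses one issued for a different
# host, and what "none (encryption only)" versus "trusted" mean for a TLS
# client.  All hosts, IPs and certificate fields below are constructed.
import ipaddress
import ssl
from ftplib import FTP_TLS


def make_ftps_context(trusted: bool) -> ssl.SSLContext:
    """TLS context for explicit FTPS (AUTH TLS on port 21).
    trusted=True : chain and hostname verified (the safe default).
    trusted=False: encrypted, but the peer is not authenticated, so anyone in
                   the path could present any certificate."""
    ctx = ssl.create_default_context()
    if not trusted:
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only when the context authenticates the server and its name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 rule: case-insensitive; '*' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # ".example.net"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def certificate_matches_host(cert: dict, host: str) -> bool:
    """Does `cert` (dict shape of SSLSocket.getpeercert()) name `host`?
    subjectAltName entries are authoritative; the subject commonName is only
    consulted when the certificate carries no SAN at all."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                if ipaddress.ip_address(value) == ip:
                    return True
            elif ip is None and kind == "DNS" and _dns_name_matches(value, host):
                return True
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key != "commonName":
                continue
            if ip is None:
                return _dns_name_matches(value, host)
            try:
                return ipaddress.ip_address(value) == ip
            except ValueError:
                return False
    return False


def connect_explicit_ftps(host: str, user: str, password: str,
                          trusted: bool = True) -> dict:
    """Hypothetical helper (assumed, not from the thread): open an explicit
    FTPS session and return the certificate the client saw.  Needs a live
    server, so it is not exercised below."""
    ftp = FTP_TLS(context=make_ftps_context(trusted))
    ftp.connect(host, 21)
    ftp.auth()                           # AUTH TLS, then the TLS handshake
    ftp.login(user, password)
    ftp.prot_p()                         # encrypt the data channel too
    cert = ftp.sock.getpeercert()        # {} when verification is disabled
    ftp.quit()
    return cert


# Constructed certificates.  SHARED_HOST_CERT mirrors the thread: the shared
# server at CONNECT_IP presents a certificate issued for a different machine.
CONNECT_IP = "192.0.2.10"
SHARED_HOST_CERT = {
    "subject": ((("commonName", "192.0.2.55"),),),
    "subjectAltName": (("IP Address", "192.0.2.55"),),
}
PROPER_CERT = {  # what a correctly provisioned server would present
    "subject": ((("commonName", "ftp.example.net"),),),
    "subjectAltName": (("DNS", "ftp.example.net"), ("DNS", "*.example.net")),
}

if __name__ == "__main__":
    print("shared cert accepted for", CONNECT_IP, "->",
          certificate_matches_host(SHARED_HOST_CERT, CONNECT_IP))   # False
    print("proper cert accepted ->", certificate_matches_host(PROPER_CERT, "ftp.example.net"))
```

Run against SHARED_HOST_CERT, the verifying context behaves like Dreamweaver's "trusted" mode and refuses the session, while the trusted=False context behaves like "encryption only": the handshake succeeds, but getpeercert() comes back empty and nothing has confirmed who is on the other end. The durable fix is on the server side, a certificate that actually names the host being connected to; a client-side override that pins the wrong certificate, as described for Transmit, only hides the mismatch.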